Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Use persistent SAML identifiers

Browse source 
Using "unspecified" will always send just the user's (FAS) username,
which has been known to conflict with existing accounts on Gitlab. The
"persistent" name-id format guarantees uniqueness.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
This commit is contained in:
Stephen Gallagher 2022-05-06 12:54:42 -04:00 committed by kevin
parent 7aa6310cc0
commit 7d26c4cde9
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
roles/ipsilon/templates/saml2_data
View file

@ -78,4 +78,4 @@ gitlab id = https://gitlab.com/groups/fedora
gitlab type = SP
gitlab name = gitlab.com
gitlab Allowed Attributes = ["email"]
gitlab metadata = <?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor ID='_1b989820-b3a1-4fda-bed3-39c77422a44e' entityID='https://gitlab.com/groups/fedora' xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'><md:SPSSODescriptor AuthnRequestsSigned='false' WantAssertionsSigned='false' protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:AssertionConsumerService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://gitlab.com/groups/fedora/-/saml/callback' index='0' isDefault='true'/><md:AttributeConsumingService index='1' isDefault='true'><md:ServiceName xml:lang='en'>Required attributes</md:ServiceName><md:RequestedAttribute FriendlyName='Email address' Name='email' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic' isRequired='false'/><md:RequestedAttribute FriendlyName='Full name' Name='name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic' isRequired='false'/><md:RequestedAttribute FriendlyName='Given name' Name='first_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic' isRequired='false'/><md:RequestedAttribute FriendlyName='Family name' Name='last_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic' isRequired='false'/></md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>
gitlab metadata = <?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor ID='_1b989820-b3a1-4fda-bed3-39c77422a44e' entityID='https://gitlab.com/groups/fedora' xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'><md:SPSSODescriptor AuthnRequestsSigned='false' WantAssertionsSigned='false' protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:AssertionConsumerService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://gitlab.com/groups/fedora/-/saml/callback' index='0' isDefault='true'/><md:AttributeConsumingService index='1' isDefault='true'><md:ServiceName xml:lang='en'>Required attributes</md:ServiceName><md:RequestedAttribute FriendlyName='Email address' Name='email' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic' isRequired='false'/><md:RequestedAttribute FriendlyName='Full name' Name='name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic' isRequired='false'/><md:RequestedAttribute FriendlyName='Given name' Name='first_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic' isRequired='false'/><md:RequestedAttribute FriendlyName='Family name' Name='last_name' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic' isRequired='false'/></md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>